Introduction

The SATA SECURE ERASE command functionality was proposed/designed to be an answer to the problem of “how can we completely erase all data on a SATA disk drive in a known and approved fashion”. Another goal that this command was supposed to meet was to execute this erase process in the shortest amount of time possible.

Background

Early SATA drives had a FEATURE set known as Host Protected Area (HPA) that allowed the drive to be securely partitioned into multiple volumes. Access to these volumes could be limited to “protect” data or programs on the various partitions.

Because these HPA partitions were protected they could not be erased unless you knew the password to unlock them. This meant that generic erase or purge programs could not access and erase these HPA partitions.

Also, SATA drives manage defective and spare blocks (LBAs) on their own, apart from any user intervention. This makes purging or erasing defective LBAs a problem.

The SECURE ERASE command was designed to erase ALL the drive, including any HPA partitions and including any bad remapped LBAs.

What exactly does it do? It does one complete overwrite pass of the entire drive, writing either all zeros or all ones on every LBA in all HPAs and including any defective blocks.

Remember this “one complete write pass” when you read below about just how long this process can take! For now we will just say that the process is thorough, but it’s not any faster than writing a full pass to the drive…

Who (in our marketplace) wants to do Secure Erase?

Your customers read news articles about how wonderful Secure Erase is. They read how it is consistent and recommended, if not endorsed, by government agencies. So they ask you “do you use Secure Erase? It’s the best you know…”

That’s the clincher – you can run a government/end-user approved method of drive erasure and not have to worry about how many passes, what data pattern, etc.
If you run Secure Erase you are good to go!

Tell your customers “yes, we use the SECURE ERASE command to wipe your disk drives” and everything is good.

If only it were as simple as that…

A SATA drive connected to a SATA mobo port

If you were someone with evil intent, this command could give you an easy and quick way to destroy data on disk drives. Send a few commands (there are three commands needed to start the SECURE ERASE process) and POW – you’ve nuked the disk.

Enter BIOS “protection”

To prevent this from happening most all motherboard manufacturers created a system whereby as soon as a SATA drive was powered up and recognized by the BIOS it would be SECURITY FROZEN.

Security Freeze and Un-Freeze

This SATA feature does as its name implies – it “freezes” any SECURITY ERASE commands from working.
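The frozen state is visible to software: the drive reports it in word 128 of its IDENTIFY DEVICE response, and its erase-time estimates in words 89 and 90. The following is an added example, not code from the original article or the STB Suite; it decodes those words from a 512-byte response. The function names and the two sample buffers are constructed for illustration, and the classic ATA encoding of words 89/90 (low byte times two minutes) is assumed.

```python
import struct

# Bit positions in IDENTIFY DEVICE word 128 (security status).
SECURITY_BITS = {"supported": 0, "enabled": 1, "locked": 2, "frozen": 3,
                 "count_expired": 4, "enhanced_erase_supported": 5}


def erase_minutes(word):
    """Decode word 89 or 90 (classic encoding): None if unspecified, else minutes."""
    value = word & 0xFF
    if value == 0:
        return None      # drive does not report an estimate
    if value == 0xFF:
        return 508       # lower bound: the drive reports "more than 508 minutes"
    return value * 2


def security_state(identify):
    """Decode the security fields from a 512-byte IDENTIFY DEVICE response."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)   # 256 little-endian 16-bit words
    status = words[128]
    state = {name: bool(status >> bit & 1) for name, bit in SECURITY_BITS.items()}
    state["normal_erase_minutes"] = erase_minutes(words[89])
    state["enhanced_erase_minutes"] = (
        erase_minutes(words[90]) if state["enhanced_erase_supported"] else None)
    # The case described above: a frozen drive rejects the erase commands.
    state["erase_blocked"] = not state["supported"] or state["frozen"]
    return state


def make_identify(status, normal=0, enhanced=0):
    """Build constructed sample IDENTIFY data with only the security words set."""
    words = [0] * 256
    words[128], words[89], words[90] = status, normal, enhanced
    return struct.pack("<256H", *words)


# Constructed samples: a drive frozen by the BIOS, and the same drive unfrozen.
FROZEN_DRIVE = make_identify(0b101001, normal=60, enhanced=60)
UNFROZEN_DRIVE = make_identify(0b100001, normal=60, enhanced=60)

if __name__ == "__main__":
    for label, data in (("frozen", FROZEN_DRIVE), ("unfrozen", UNFROZEN_DRIVE)):
        print(label, security_state(data))
```

Checking this state before queuing a drive for erasure lets a wipe workflow report "frozen" up front instead of failing partway through the command sequence.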

A SATA drive connected to a SAS HBA

Let us show you!

You can’t beat free, right? Maybe, you have an old license of the Toolbox (1996 ring a bell, possibly 2006, maybe run a couple versions ago?). Possibly, you’ve been thinking about using the Suite for years but haven’t allocated the resources. Why not take 30-60 minutes of your time and see if the Suite could help with your Peripheral testing, screening, etc? We’ll tailor the training to your specific needs and be sure to cover all of your testing needs, answer questions and see if the STBSuite is right for you.

The STBSuite is constantly changing and we’re adding new tests, features, protocol support, logging options, and test parameters all the time. So, if you’ve been running that older version let us show you what’s changed! If you’ve been running the Toolbox for years, let us review your procedures and see if we can help cut down your testing times and increase your testing thoroughness. What have you got to lose?

A. “Data Execution Prevention (DEP) is a security feature that is intended to prevent viruses or malicious exploits from corrupting files on your computer system. There are hardware-enforced DEP methods and software-enforced DEP.

The STB Suite requires certain device drivers be installed on the target test system. This is the type of activity that makes DEP “nervous”, and so it is required that DEP be set to a mode that will allow our drivers to be installed.

This DEP setting must be correctly set before installing the STB Suite. If not set correctly the STB Suite installation will abort.

The correct DEP setting is “Turn on DEP for essential Windows programs and services only”

The incorrect DEP setting is “Turn on DEP for all programs and services…”

Chkinstall.exe

You will find the executable chkinstall.exe in your install folder. Run this program to check the integrity of your installation package and to check your DEP settings.

Note:

With most 64-bit versions of operating systems it is not possible for a program like chkinstall.exe to determine the system’s DEP settings. In this case you will see a warning to that effect and you should follow the instructions below to be certain that DEP is set correctly.

Windows 7 and Server 2003/2008

These operating systems make setting DEP relatively easy. Here are the steps to check and/or set DEP before installing the STB Suite:

Press the Start + Break keys to enter Control Panel System

On the left of the System screen click “Advanced system settings” to bring up the System Properties page

Click on the Data Execution Prevention tab

Check to make sure that the top radio button is chosen as shown above

If the top choice is not picked then pick it now, then click Apply

Reboot your system now. DEP setting changes will not take effect until you have rebooted.

Server 2012, and some other 64-bit OS’s

These OS’s seem to have an option that will disallow the above DEP check/change process from being run. This is set as a security option, and the results will be that the DEP options described above will be grayed-out and cannot be changed.

There is information available on the web that would lead you to believe that you could achieve the proper DEP settings by using bcdedit via the command bcdedit /set nx AlwaysOff

However, this does not actually work!

What you must do is follow these steps to first enable the System Properties->DEP dialog

Open an elevated command prompt window. This can be done by pressing Start and opening All Programs->Accessories.

Right-click on Command Prompt and choose Run As Administrator. This will open a command prompt window
